CVE-2022-31218: Drive Composer Link Following Local Privilege Escalation Vulnerability
First published: Wed Jun 15 2022(Updated: )
Vulnerabilities in the Drive Composer allow a low privileged attacker to create and write to a file anywhere on the file system as SYSTEM with arbitrary content as long as the file does not already exist. The Drive Composer installer file allows a low-privileged user to run a "repair" operation on the product.
Credit: cybersecurity@ch.abb.com cybersecurity@ch.abb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Abb Automation Builder | >=1.1.0<=2.5.0 | |
| Abb Drive Composer | >=2.0<2.7.1 | |
| Abb Drive Composer | >=2.0<2.7.1 | |
| ABB Mint Workbench | <=5866 |
Remedy
The problem is corrected in the following product versions: Drive Composer entry version 2.7.1 Drive Composer pro version 2.7.1 Customers using Drive composer pro integrated in ABB Automation Builder should refer to section “Workarounds” in this document. Mint WorkBench Build 5868 ABB recommends that customers apply the update at earliest convenience. Updated versions of Drive Composer are available immediately. ABB Automation Builder 2.5.1 and Mint WorkBench Build 5868 will be available before or during Q3/2022.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2022-31218?
CVE-2022-31218 is a vulnerability in the Drive Composer software that allows a low privileged attacker to create and write to a file anywhere on the file system as SYSTEM with arbitrary content.
How can an attacker exploit CVE-2022-31218?
An attacker with low privileges can exploit CVE-2022-31218 by running a "repair" operation on the Drive Composer installer file, which allows them to create and write to a file with arbitrary content.
Which software versions are affected by CVE-2022-31218?
The affected software versions include Abb Automation Builder (1.1.0 to 2.5.0), Abb Drive Composer (2.0 exclusive to 2.7.1 inclusive), Abb Drive Composer Pro (2.0 exclusive to 2.7.1 inclusive), and Abb Mint Workbench (up to version 5866).
What is the severity of CVE-2022-31218?
CVE-2022-31218 has a severity value of 7.8, which is considered high.
How do I fix CVE-2022-31218?
To fix CVE-2022-31218, it is recommended to update to the latest version of the affected software or apply the necessary patches provided by the vendor. More information can be found in the provided reference link.
- agent/author
- agent/type
- agent/weakness
- agent/references
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/severity
- agent/title
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/description
- agent/event
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/abb
- canonical/abb automation builder
- version/abb automation builder/1.1.0
- version/abb automation builder/2.5.0
- canonical/abb drive composer
- version/abb drive composer/2.0
- canonical/abb mint workbench
- version/abb mint workbench/5866